By the end of this chapter, the reader should be able to explain the arising of risks via outsourcing activities to third-party service providers. Also, the elements of an effective program to manage outsourcing risk should be described by the learner after the chapter. Furthermore, due diligence performance on third-party service providers by financial institutions should also be well understood by the learner. Finally, the chapter will give a description of the topics and provisions to be addressed in a concert with a third-party service provider.
Risk from the Use of Service Providers
Various risks are presented to financial institutions when third-party providers are used to performing operational functions. The involvement of a service provider introduces some risks and yet others are inherent to the outsourced activity itself. Financial institutions can be exposed to risks causing regulatory action, financial loss, litigation, and reputation loss if the application of service providers is ineffectively managed. The following risks should be taken into consideration by financial institutions prior to entering into while managing outsourcing risk:
- The failure to comply with applicable U.S. laws and regulations by a service provider’s products, services, or activities leads to the arising of compliance risk.
- When a limited number of service providers dispense outsourced services or products, then concentration risk arises.
- The public can form a negative opinion about a financial institution due to the actions or poor performance of a service provider. This leads to reputational risk.
- Engagement of a foreign-based service provider by a financial institution leaves the institution exposed to possible economic, social, and political conditions and events from the country the provider is located. This causes country risk to arise.
- When an institution is exposed to losses attributed to inadequate or failed internal processes, systems or from human error by a service provider, then operational risk arises.
- A financial institution exposed to legal expenses and likely lawsuits by a service provider faces legal risks.
The Responsibilities of Board of Directors and Senior Management
The board of directors and senior management of a financial institution do not get relieved of their responsibility to ensure that the conduction of outsourced activities happens in a manner that is safe and sound and complies with applicable laws and regulations.
The board of directors or an executive committee of the board should establish and approve the policies governing the use of service providers. A service provider’s risk management program should be established by these policies to address the risk assessments and due diligence standards for contract provisions and considerations, ongoing monitoring for service providers, and business continuity and contingency planning.
Making sure that the policies approved by the board for the use of the service provider are executed appropriately is the responsibility of senior management. To adhere to policies that govern outsourcing arrangements, the senior management has to report regularly to the board of directors.
Service Provider Risk Management Programs
The service provider risk management program of a financial institution should be risk-focused and provide oversight and controls aligned with the risk level presented by the outsourcing arrangements.
The outsourced activities with a substantial effect on the financial conditions of a financial institution should be the focus of the service provider’s risk management programs. Criticality, complexity, and various outsourced business activities are relied on by the depth and formality of the service provider risk management program.
Financial institutions with many service providers for their business activities may find the need of using many more elements than the one stated above.
The following are the core elements usually included in effective programs:
- Assessments of risk;
- Selection of service providers and due diligence;
- Provisions of contracts and considerations;
- Incentive compensation review;
- Oversight and monitoring of service providers; and
- Business continuity and contingency plans.
The decision of whether or not to outsource is greatly influenced by a business activity’s risk assessment and the implications of having the activity in-house or performed by a service provider. The consistency of outsourcing an activity with an organization’s strategic direction and overall business strategy should be determined by a financial institution.
The institution should then analyze the benefits and risks of outsourcing the activity and its risk and determine the aftermath of establishing the outsourcing arrangement. The management should consider the ability of qualified and experienced service providers to perform the service on an ongoing basis.
The ability and expertise of the financial institution to provide appropriate oversight and management of the relationship with the service provider should also be considered by the management.
The updating of the risk assessment should also be at appropriate intervals and consistent with the service provider risk management program of the financial institution.
Due Diligence and Selection of Service Providers
The necessary due diligence for a prospective service provider should be conducted by a financial institution before employing the service provider.
Variations in formality and the depth of the due diligence performed will be affected by the scope, complexity, and importance of the planned outsourcing arrangement, the familiarity of the financial institution with the prospective service providers, and the reputation and industry standing of the service provider.
The service provider should be reviewed based on the following factors in the overall due diligence process:
- The background, strategy, and reputation of the business;
- The financial performance and overall conditions; and
- Operations and internal controls.
I. Business Background, Reputation, and Strategy
The status of a service provider in the industry should be reviewed by the financial institutions, including the corporate history and qualifications.
For the qualifications and competencies of the service provider to be assessed, there should be an evaluation of the experience of the service provider in providing the proposed service. Moreover, there should be an evaluation of the business model of the service provider ranging from its business strategy and mission to service philosophy, quality initiatives, and organizational policies.
To ascertain the performance record and verify any required licenses and certifications, the references of the service provider should be checked by the financial institution. It should also verify if any pending legal or regulatory compliance issues are associated with the prospective service provider and its principals.
II. Financial Performance and Condition
The service provider’s financial condition and its closely-related affiliates should be reviewed by the financial institution.
The following may be included in the financial review:
- The latest financial statements and annual report of the service provider, based on outstanding commitments, capital strength, liquidity, and operating results;
- The sustainability of the service provider;
- The business relationship’s effect of the financial institution on the financial condition of the service provider;
- The commitment of the service prodder to the provision of the contracted services to the financial institutions to the contract’s duration;
- The service provider’s insurance coverage adequacy;
- How adequate is the review of the financial condition of any subcontractors by the service provider?; and
- Other current issues likely to be faced by the financial provider, with the potential of affecting the future financial performance.
III. Operations and Internal Controls
An important point to make here is that it is the responsibility of the financial institution to make sure that there is compliance by the services provided with applicable laws and regulations and consistency with safe banking practices.
There is the need for a review of the following factors depending on the characteristics of the outsourced activity:
- Internal controls
- Facilities management
- Security of systems
- The financial institution confidential information’s privacy protection
- Records retention and maintenance
- Business resumption and contingency planning
- Maintenance and development of systems
- Support and delivery of service
- Background checks on employees
- Adherence to public laws, regulations, and supervisory guidance.
Contract Provisions and Considerations
The service contract and legal issues associated with proposed outsourcing arrangements should be well understood by the financial institutions. The definition of the terms of service agreements should be in written contracts reviewed by the legal counsel of the financial institution before the execution. The following are the elements of well-defined contracts and service agreement:
- Scope: Each party’s rights and responsibilities should be clearly defined, including:
- Support, maintenance, and customer service
- Contract timeframes
- Compliance with the laws, regulations, and regulatory guidance that are in place
- Training of the employees of the financial institution
- The ability to subcontract services
- How the required statements are distributed or disclosed to the customers of the institution
- Requirement of insurance coverage
- The terms that govern the application of the property, equipment, and staff of the financial institution.
- Cost and compensation: All fees to be paid for non-recurring items and special requests, variable charges, and compensation should be described in the contracts. The responsibility of each party for the payment of any legal, audit, and examination fees linked to the activity performed by the service provider should also be addressed in the agreement. It is the duty of the financial institution to make sure that potential incentives to take imprudent risks on the institution’s behalf are not provided by any incentives.
- Right to audit: The service provider of an institution can be audited by the institution or its representatives as provided by the agreements. They can also access audit reports. The types of audit reports received by the institution and the frequency of the audits and reports should also be defined in the agreements.
- Performance standards: They should also be established and monitored. The measurable performance standards should be defined in the agreements for the provided services and products.
- Confidentiality and security of information: The security and confidentiality of both the confidential information and the clients’ information of the financial institution should be ensured by the service providers and should show consistency with the laws, regulations, and supervisory guidance that are applicable. In addition, the application of financial institution information and its client information by the service provider should be addressed in the service agreements. In the event that any of the Non-public Personal Information (NPPI) of the clients in the financial institution are handled by the service providers, then there must be compliance with applicable privacy laws and regulations by the service providers. Some legal requirements should be made part of the contracts between the institution and any service provider proving storage, processing, and/or transmission of the NPPI data. This should happen in case of a breach or compromise of the NPPI data.
- Ownership and license: The abilities and circumstances whereby service providers can apply financial institution property needs to be defined in the agreements and includes data, hardware, software, and intellectual property. Any information given by the service providers need also to be addressed by the agreements to ascertain its ownership and control.
- Indemnification: For all claims against the financial institution due to the negligence by the service provider, the service provider indemnification of the financial institution should be provided in the agreements.
- Default and termination: The events of a contractual default, acceptable remedies, and opportunities for a default to be cured should be well defined in the agreements. Termination rights should also be included in the agreements. Additionally, the termination and notification requirements giving financial institutions enough time for services to be transferred to another service provider should be included in the contracts.
- Dispute Resolution: To expedite problem-solving and address continuation of arrangement between parties in times of dispute resolution, the process of resolving disputes should be included in the agreements.
- Limits on liability: There may be a necessity for the liability of service providers to be limited contractually by the service providers themselves. The reasonability of the proposed limitations compared to the institution’s risks in case of performance failure by the service provider should be ascertained by the senior management and the board of directors.
- Insurance: Proof of insurance should be provided to the financial institutions by service providers who have adequate insurance. The financial institutions should also be notified of any material changes in their insurance coverage by the service providers.
- Customer complaints: Financial institutions and service provider’s responsibilities relating to complaints by customers should be specified in the agreements. Summary reports should be provided in the agreements to the institutions tracking the status and resolution of the complaints, in case service providers are charged with the resolution of customer complaints.
- Business resumption and contingency plan of the service provider: In case of operational failure, the continuation of services provided by the service providers should be addressed in the agreements.
- Foreign-based service providers: An inclusion of the choice of law and jurisdictional provisions should be considered by financial institutions for the agreements with service providers who are foreign-based. This will ensure that all disputes the two parties are adjudicated under the laws of a single specific jurisdiction.
- Subcontracting: In case subcontracting is allowed in the agreements, similar contractual provisions should be used to the subcontractor. The subcontracted services, the due diligence process for engaging and monitoring subcontractors by the service provider, and approval requirements should be defined by agreements.
Incentive Compensation Review
For any incentives compensation embedded in service provider contracts to be reviewed and approved, an effective process should be put in place by the financial institution. This should include the adequacy of the existing governance and controls with respect to the risks arising from the incentives compensation arrangements.
There should be a consideration by the institution about whether service providers might be encouraged by the incentives to take imprudent risks since it is the duty of service providers to represent the institution by selling its products and services.
Oversight and Monitoring of Service Providers
Acceptable performance metrics should be established, determined by the business line or relationship management to be indicative of acceptable performance levels. This has the effect of effectively monitoring the contractual requirements.
Personnel responsible for oversight and management for service providers should have the appropriate levels of expertise and stature to manage the outsourcing arrangement.
Risk mitigation plans should be tailored and implemented for higher-risk service providers to include processes like additional reporting or heightened monitoring.
Service providers exhibiting performance, financial compliance, or control concern have to be frequently and stringently monitored. The monitoring level can be lessened for lower-risk service providers.
The adequacy of the provider’s control environment should be assessed by the financial institutions to ensure their relationship with the service providers is significant. There should be a review of the available audits or reports in the assessments.
The institution may also need to elevate its monitoring of the service provider due to security incidences at the service provider.
Escalation of Oversight Activities
Triggers should be included by the risk management processes to escalate the oversight and monitoring in case of failure by the service provider to meet the performance, compliance control, or the viability expectations.
A criterion to engage alternative outsourcing arrangements and terminate the service provider contract if identified issues are inadequately addressed should be developed by the financial institution.
Business Continuity and Contingency Considerations
The ability of a service provider to give contracted services may be affected by various events. The contingency plans of a financial institution should focus on critical services provided by the service providers, and a consideration of alternative arrangements in case of failure by the service providers to perform.
The following are critical considerations in the preparation of contingency plans:
- There should be a disaster recovery and business continuity plan with respect to the contracted services and products;
- The adequacy and effectiveness of a service provider’s disaster recovery and business continuity plan and its alignment to their own plan should be assessed;
- The roles and responsibilities of for the maintenance and testing of service provider’s business continuity and contingency plans should be documented and tested;
- To have adequacy and effectiveness, there should be some periodic testing of the service provider’s business continuity and contingency plans; and
- The exit strategy should be maintained; this includes a pool of comparable service providers.
Additional Risk Considerations
The Reporting Functions of Suspicious Activity Report
The complexity in the outsourcing of any SAR-related function is due to the confidentiality of suspicious activity reporting. The risks associated with using service providers to perform some suspicious activity reporting function based on the Bank Secrecy Act (BSA) should be identified and monitored by the financial institutions.
Foreign-Based Service Providers
Foreign-based service providers should comply with the US laws and regulations and regulatory guidance that are in place. The laws and regulations of the foreign-based service provider’s country or regulatory authority on the ability of the institution to perform on-site reviews of the service providers operations should be taken into consideration by the financial institution.
The existing guidance on the engagement of independent public accounting companies and other professionals who are external to perform duties previously executed by internal auditors should be referred to by the financial institution.
Risk Management Activities
Various risk management activities may be outsourced by the financial institution. The service provider’s information demonstrating the evidence of the development that explains the components, designs, and intended use of the product to determine the appropriateness of the product/service for exposures and risks should be provided as required by the financial institution.
1) Which of the following tasks is NOT necessarily executed by the financial institution in the course of preparing contingency plans?
- Ensuring that there is the existence of a disaster recovery and business continuity plan, regarding the services and products contracted.
- The service provider’s disaster recovery and business continuity plan should be assessed by the financial institution to ensure they align with that of their own.
- The business continuity and contingency plan of the service provider should be tested on a periodic basis by the financial institution to ensure they are adequate and effective.
- The financial institution should ensure that the foreign-based service providers are complying with their country’s regulations and regulatory guidance.
The correct answer is D.
Ensuring compliance to the rules and regulations and regulatory guidance in the country which the financial institution is located, despite being important and done by the financial institution, is not necessarily a task related to preparing contingency plans.